Bug 9788 - 'acl:search = no' problem is not fully fixed and parameter is still required
Status: NEW
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.0.5
Hardware: x64 Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2013-04-12 14:35 UTC by Marc Muehlfeld
Modified: 2019-05-24 16:53 UTC

Attachments
Level 10 debug log of a failed try to join Win7 (without acl:search=no parameter) (87.27 KB, application/x-bzip2)
2013-04-12 14:35 UTC, Marc Muehlfeld
Description Marc Muehlfeld 2013-04-12 14:35:39 UTC
Created attachment 8768
Level 10 debug log of a failed try to join Win7 (without acl:search=no parameter)

I'm sorry, but the 'acl:search=no' workaround is still required and not fully fixed.

Yesterday we switched to 4.0.5 and I ran 'samba-tool dbcheck --reset-well-known-acls --fix' to reset all my ACLs. Then I recreated the delegation, so members of a group can join computers to the domain without having domain admin permissions (http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO/AD_Delegation#Add_delegation). The join as a member of that group worked as expected.

Then I removed the 'acl:search=no' parameter from smb.conf and restarted samba. Now XP says, when trying to join, 'access denied' and Win7 says 'wrong parameter' and the joins didn't work.

After I added the parameter again to smb.conf, the join worked fine again.
Comment 1 Andrew Bartlett 2013-05-21 02:02:56 UTC
As I indicated on the lists, we really need a concrete test (modification to acl.py hopefully) that fails against Samba and passes against Windows, in order to make progress here.
Comment 2 mray 2019-05-24 16:53:18 UTC
Without the 'acl:search=no' parameter in my domain, I found that 'samba-tool ldapcmp' fails between domain controllers. This is samba version 4.9.6.

If there is any additional information or testing I could provide, please let me know.